ABSTRACT



In order to establish a protected channel between a user and a software program running on a computer system, a graphic display unique to the user is displayed along with the normal information entry graphics. A foreign program which might duplicate the overall appearance of the entry graphics cannot display the unique visual display which would appear on the legitimate entry screen of a particular user. Thus, a user looking at his entry screen can tell by the visual display whether the entry screen has been generated by a legitimate program or by a foreign impostor program. Further, since it might be possible for an unauthorized person to surreptitiously observe the unique display pattern on the entry screen of an authorized user, to increase security, a program constructed according to the principles of the invention changes the visual display as information is entered, based on the partially entered information. Thus, even if an unauthorized person should oversee the entry of the information by an authorized user, memorize the display and incorporate the display in an impostor program, the impostor program would be unable to duplicate the sequence of visual displays which occurs during the entry of the information because the information itself is unknown.

21 Claims, 7 Drawing Sheets 
METHOD AND APPARATUS FOR ESTABLISHING A PROTECTED CHANNEL BETWEEN A USER AND A COMPUTER SYSTEM

FIELD OF THE INVENTION

This invention relates to computer security systems and, in particular, to systems in which a protected channel is established between a user and authorized software running in a computer system.

BACKGROUND OF THE INVENTION

Many computer systems utilize some type of security to prevent unauthorized use. In the vast majority of systems, this security takes the form of a single password per user for a particular company. This password is conventionally an arbitrary combination of characters known only to the user.

Security is a major concern in computer networks because once an unauthorized person gains access to the network a large number of files and information can then be accessed by the unauthorized person and compromised. With the advent of the INTERNET, computer security has taken on additional urgency. Using the INTERNET, and a valid password, unauthorized persons can gain access to computer networks and improperly view and retrieve confidential files. It is often very difficult to trace the location of the unauthorized user over the INTERNET connections.

With software sophistication increasing, it is sometimes difficult for an authorized user to be sure that he is actually communicating with a legitimate program on his own system. For example, it is possible for an unauthorized person to send an authorized user an "active" or "Trojan horse" mail message over an INTERNET connection. This mail message is programmed to generate a visual display which is the same as a display generated by the legitimate program which appears when a user must enter information, such as his password. When the user enters the requested information into such a mail message, the entered characters are captured and returned to the person who sent the mail message, thereby compromising the information or password, possibly without the user's knowledge. Still other software merely records information passing between the user and the legitimate program and forwards this information back to the unauthorized "eavesdropper."

Thus, it has been necessary to establish what is termed a "protected channel" between a user and legitimate software. Such a protected channel provides a means for a legitimate program to interface with a user in a manner in which other software cannot detect or record the information which passes between the user and the legitimate program. There have been a number of prior art methods for providing such a protected channel to prevent information and valid passwords from being stolen. One known method is embodied in the WINDOWS NT® operating system sold by the Microsoft Corporation, Redmond, Wash. The WINDOWS NT® operating system provides a protected channel by requiring the user to enter a particular key sequence during information (password) entry. The key sequence is CONTROL-ALT-DELETE. When the operating system receives this sequence, it prompts the user for a password; however, this key sequence terminates any application programs which are in operation during the password entry sequence. Thus, any "Trojan horse" or eavesdropping programs will be terminated during the information entry sequence. After the information has been entered correctly, the operating system returns control to the application programs. Thus, during the entry sequence, the user can be sure that no "foreign" programs are active.

The aforementioned scheme works well but is not available to application programs. Since each application program must interface with the operating system like any other application program, the application program itself cannot be programmed to recognize the CONTROL-ALT-DELETE sequence because it would be terminated by the sequence.

Therefore, there is a need for an apparatus and a method for providing a protected channel between a user and legitimate software which can be used by application programs.

SUMMARY OF THE INVENTION

The foregoing problems are overcome and the foregoing need is met by one illustrative embodiment of the invention in which a graphic display unique to the user is displayed along with the normal information entry graphics. A foreign program which might duplicate the overall appearance of the entry graphics cannot display the unique visual display which would appear on the legitimate entry screen of a particular user. Thus, a user looking at his entry screen can tell by the visual display whether the entry screen has been generated by a legitimate program or by a foreign impostor program.

Further, since it might be possible for an unauthorized person to surreptitiously observe the unique display pattern on the entry screen of an authorized user, to increase security, a program constructed according to the principles of the invention changes the visual display as information is being entered, based on the partially entered information. Thus, even if an unauthorized person should oversee the entry of the information by an authorized user, memorize the display and incorporate the display in an impostor program, the impostor program would be unable to duplicate the sequence of visual displays which occurs during the entry of the information because the information itself is unknown. This latter technique is particularly useful for secret information, such as passwords.

Additional techniques are incorporated into one illustrative embodiment to prevent unauthorized persons from examining the display screen as an authorized user types each character of the information and thereby incrementally obtaining the information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a personal computer system suitable for use with the present invention.

FIGS. 2A-2C are schematic illustrations of a portion of a password entry screen display which incorporates the inventive unique graphical display of the present invention. FIGS. 2B and 2C illustrate typical graphical display changes which occur during the entry of a password.

FIG. 3 is an illustrative flowchart of the steps involved in establishing a unique ID code for a new user.

FIG. 4 is an illustrative flowchart for a routine which generates a graphical display when the password entry screen graphics are initially displayed.

FIG. 5 is a schematic diagram illustrating apparatus for generating a cryptographic hash of input values.

FIGS. 6A and 6B, when placed together, form an illustrative flowchart for a routine which changes the graphical display during a password entry sequence.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

FIG. 1 illustrates the system architecture for a conventional computer system, such as an IBM PS/2® computer, on which the inventive security system can operate. The exemplary computer system of FIG. 1 is for descriptive purposes only. Though the description below may refer to terms commonly used in describing particular computer systems, such as an IBM PS/2 computer, the description and concepts equally apply to other systems, including systems having architectures dissimilar to FIG. 1.

The exemplary computer 100 includes a central processing unit ("CPU") 105, which may include a conventional microprocessor; a system random access memory ("RAM") 110 for temporary storage of information and a read only memory ("ROM") 115 for permanent storage of information. A memory controller 120 is provided for controlling system RAM 110; a bus controller 125 is provided for controlling bus 130; and an interrupt controller 135 is used for receiving and processing various interrupt signals.

Mass storage may be provided by a diskette 142, a 
CD-ROM disk 147 or a hard disk 152. The diskette 142 can 
be inserted into a diskette drive 141, which is, in turn, 
connected to bus 130 by a controller 140. Similarly, the 
CD-ROM disk 147 can be inserted into a CD-ROM drive 
146, which is also connected by a controller 145 to bus 130. 
Finally, hard disks 152 are part of a fixed disk drive 151, 
which is connected to bus 130 by controller 150. 

Input and output to computer system 100 are provided by 
a number of devices. For example, a keyboard and mouse 
controller 155 connects to bus 130 for controlling a key- 
board input device 156 and a mouse input device 157. A 
DMA controller 160 is provided for performing direct 
memory access to system RAM 110. A visual display is 
generated by a video controller 165, which controls a video 
output display 170. The computer also includes a commu- 
nications adapter 190 which allows the system to be inter- 
connected to a local area network (LAN) or a wide area 
network (WAN) which is schematically illustrated by bus 
191. 

The computer 100 is generally controlled and coordinated by operating system software, such as the OS/2® operating system, available from the International Business Machines Corporation ("IBM"), Boca Raton, Fla. Conventional operating systems control and schedule computer processes for execution, perform memory management, provide file system, networking, and I/O services, and provide a user interface, such as a graphical user interface ("GUI"), among other things. User applications, such as editors and spreadsheets, directly or indirectly, rely on these and other capabilities of the operating system.

FIGS. 2A-2C depict illustrative screen displays generated 
by a preferred embodiment of the present invention. For 
example, as shown in FIG. 2A, the screen display 212 might 
be generated by a legitimate program in order to prompt for 
the entry of information such as a password. Although the 
following description relates especially to entry of password 
information, it is understood that the inventive arrangement 
can also be used to establish a protected channel during the 
entry of other information. Screen display 212 contains a 
password entry area 206 in which the password characters 
(for example, which might be entered on a keyboard) are 
echoed or displayed by the program. In addition, to the left
of the password entry area 206 is a graphic display area 
generated in accordance with the principles of the present 
invention. This graphic display area displays a unique 
graphical pattern for each authorized user. This pattern, for 
example, might be generated from a unique login ID which 
is received by the computer system when the user initially 
logs onto the computer. 
In one illustrative embodiment, the graphical pattern consists of a pattern of separate icons which are chosen from a larger "pool" of icons. The number of, and the actual icons in, the pool are predetermined. For example, as shown in FIG. 2A, four icons 202, 204, 208 and 210 are shown which might be drawn from a fixed pool of sixteen possible icons. Alternatively, the unique graphic display can be generated from unique user information. Since the pattern of icons or the graphic display is unique to each authorized user, an impostor program which generates the general overall screen display 212 including the password entry area 206, without more, could not generate the unique pattern for a particular user.
However, it is possible that an unauthorized person could "look over the shoulder" of an authorized user and memorize the user's password pattern and then subsequently create an impostor program which also generated the pattern. In order to avoid the possibility of such counterfeiting, in accordance with the principles of the present invention, the password entry program is arranged to change the displayed pattern based on the entered portion of the password. For example, as shown in FIG. 2B, the pattern of icons 214, 216, 220 and 222 changes after several characters 225 have been entered. Likewise, FIG. 2C shows a change in the icon pattern caused by the entry of an additional character 238. Since the icon pattern changes are based on each entered character of the password, it is virtually impossible for an impostor program to duplicate the pattern of icons generated during password entry without knowing the password. Furthermore, the final graphic display will depend on the actual password entered and therefore cannot be duplicated by an impostor program without knowledge of the password.

Generally, the graphic display changes rapidly as the user types the password. However, it might still be possible for a person observing the screen during password entry to memorize the graphical display pattern sequence. Later, the person could enter different characters until by trial and error the identical display was produced. In this manner, a person could incrementally learn the password character by character. In order to obviate this problem, the present invention utilizes several additional changes to the basic entry pattern. In particular, no changes are made to the unique graphic display initially displayed until a minimum number of characters, for example four, have been entered. Further, the displayed graphic pattern is based not on the actual password characters, but on a cryptographic hash of the entered characters.

It is also possible to significantly complicate the trial and error approach by utilizing some non-unique function of the password characters to generate the graphic display. For example, a preferred method to generate the graphical display is to select icons from a pool of icons by parsing the entered character string, or some information derived from the entered character string, into bit groups and then using these bit groups to select the icons. For example, if a pool of sixteen icons is used then the password string, or a derivative, is parsed into four-bit groups and each group is then used to select an icon. However, in order to make the password entry scheme more complex and therefore more difficult to determine by trial and error decoding, each icon might for example be selected by generating the parity of each entered character, generating a derivative based on the parities and then parsing the derivative. With this modification, several different parsed groups would select the same icon, thus making the trial and error approach much more difficult.
FIG. 3 is an illustrative flowchart which describes the steps in a routine used to assign a new ID code to a new user. The rectangular elements (typified by element 304), herein denoted "processing blocks," represent computer software instructions or groups of instructions. The diamond-shaped elements (typified by element 302), herein denoted "decision blocks," represent computer software instructions or groups of instructions which effect the execution of the computer software instructions represented by the processing blocks. The flow diagram does not depict syntax of any particular computer programming language. Rather, the flow diagram illustrates the functional information which one of ordinary skill in the art would require to generate computer software to perform the processing required to decrypt an encrypted file structure. It should be noted that many routine program elements, such as initialization of loops and variables and the use of temporary variables, are not shown.

The routine begins in step 300 and proceeds to step 302 where a check is made to determine whether a user accessing the system is a new user. This determination might be made, for example, by examining the login code the user uses to log onto the system. If, in step 302, a determination is made that the user is not a new user then the routine ends in step 308.

Alternatively, if in step 302 a determination is made that the user is new, an ID code is assigned in step 304. This ID code may be the login code itself, a unique random number or some other code which is assigned by the computer system from a pool of codes. The code must be selected such that it produces a unique graphical pattern on the password entry screen for each user in the system.

Once the ID code has been assigned, the routine proceeds to step 306 in which a unique display pattern is generated from the new ID code. The steps involved in generating the display pattern are described in detail in FIG. 4. The routine then finishes in step 308.

FIG. 4 is an illustrative flowchart illustrating the steps used to generate a unique display pattern from an ID code. In particular, the routine begins in step 400 and proceeds to step 402 where a user name is received by the system. In step 404 the ID code for generating the unique pattern is retrieved from a secure location. Next, in step 406, the retrieved ID code is used to generate a cryptographic "hash." This hash is used to generate the graphic pattern so that a person observing a particular pattern could not then discover the ID code. In an illustrative embodiment, the ID code is hashed using a one-way cryptographic "hash" of the actual ID code combined with other values. These other values can be predetermined and embedded into the password entry software, separately entered by the user or a combination of both. In particular, the ID code can be simply concatenated with these other values or combined in another manner and then hashed.

An illustrative apparatus for generating a cryptographic "hash" of input values is illustrated in FIG. 5, but other, similar arrangements well-known to those in the art can also be used without departing from the scope of the invention. In particular, as shown in FIG. 5, the other values on input 500 and the ID code on input 504 are provided to a concatenator 502. Concatenator 502 simply concatenates the bits forming the other values with the bits comprising the ID code and provides the resulting series of bits to a one-way function 506.

A one-way function 506 is a well-known function which accepts a series of bits and performs a series of mathematical operations on the bits such that it is substantially impossible, given only the output of the one-way function, to reconstruct the input. There are several such functions well-known to those skilled in the art. One such function, suitable for use with the illustrative embodiment, is a one-way function called "MD2" which is described in detail in a book entitled Network Security, C. Kaufman, R. Perlman and M. Speciner, Prentice Hall 1995. A cryptographic hash is distinct from a key encryption scheme in that the encrypted data can be decrypted with the key. However, hashed data cannot be "unhashed."

Returning to FIG. 4, the cryptographic hash is then parsed into a plurality of bit groups in step 408, each of which bit groups will be used to select the icons from the icon pool. Illustratively, the hashed ID code is parsed into a plurality of four-bit groups which are used to select one of sixteen icons in an icon pool.

Next, in step 410, the icons identified by the parsed bit groups are retrieved from the icon pool and, in step 412, the resulting icon pattern is displayed. The routine then finishes in step 414.

FIGS. 6A and 6B, when placed together, show an illustrative flowchart which comprises steps in a routine that changes the display as a character string is entered, based on the entered characters. The routine starts in step 600 and proceeds to step 602 where the next password character is retrieved from an input device, such as a keyboard. In step 604, a check is made to determine whether at least a predetermined minimum number of characters have been entered. As previously mentioned, a minimum number of characters must be entered before the display is changed in order to prevent observers from memorizing a particular graphic pattern and then using trial and error to determine the password character corresponding to the displayed pattern.

If the minimum number of characters have not been entered then the routine returns to step 602 to retrieve another character. Alternatively, if the minimum number of characters have been received in step 604, the routine proceeds to step 606 which checks whether a maximum number of characters has been received. If the maximum number of characters has been received and a valid password has not been detected, then an error is displayed in step 610 and the routine proceeds via off-page connectors 616 and 624 to terminate in step 634.

Alternatively, if, in step 606, less than the maximum number of characters have been entered, the routine proceeds to step 608 where the entered character string is hashed using a cryptographic technique. Illustratively, the characters in the string entered up to that point may be concatenated with a secret number embedded into the password entry software code and the result may be further concatenated with another value such as a secret unique number known to the user, the user's name, the user's public key or an encrypted private key. The concatenation of the character string with these other values is done to increase the difficulty of deciphering the password characters from the graphic display. Finally, the concatenated value is hashed by passing it through a one-way function as described above.

In step 612, the resulting cryptographic hash is parsed into bit groups in order to retrieve icons from the icon pool. In step 614, the icon bitmaps are retrieved from the pool based on the bit groups parsed in step 612. The routine then proceeds via off-page connectors 618 and 622 to step 628.

In step 628, the new icon pattern is displayed to the user. The user would observe this new pattern (as schematically indicated in step 630) and determine whether it is a correct pattern based on his memory of the patterns. If the pattern is not correct, the user knows at this point that the program into which he is entering password characters is an impostor program and would then abort the entry of information in step 634.

Alternatively, the routine proceeds to step 632 if the 
pattern looks correct to the user. In the illustrative 
embodiment, after the user has entered the correct number of 
characters for his password, he would indicate to the system 
in some manner (for example, by pressing a predetermined 
key) that the complete password has been entered and that 
the password should then be checked. If, in step 632, an 
indication that the password is complete and should be 
checked has been received, then the routine finishes in step 
634 and another conventional routine (not shown) would 
check the entered character string for validity. Alternatively, 
if in step 632, it is determined that the entered characters are 
not a complete password, then the routine returns, via 
off-page connectors 626 and 620, to step 602 to await 
another character. 
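The following Python block is an added example written for this page; it is not code from the patent, which describes no implementation. It models the icon selection discussed for FIGS. 2A-2C (parsing a hash into four-bit groups that index a sixteen-icon pool, and the parity-derivative variant), the initial pattern of FIGS. 4 and 5 (other values concatenated with the ID code and passed through a one-way function) and the entry routine of FIGS. 6A-6B (no display change below a minimum count, an error past a maximum, the entered string concatenated with an embedded secret and a user-known value before hashing). SHA-256 stands in for the MD2 function named in the text. The icon names, EMBEDDED_SECRET, MIN_CHARS, MAX_CHARS, the user value and the attack alphabet are constructed for the example.

```python
from __future__ import annotations

import hashlib
from itertools import product
from typing import Optional

# Constructed sixteen-icon pool; the text only requires the pool's size and contents to be fixed.
ICON_POOL = ["anchor", "bell", "cat", "dog", "egg", "fish", "globe", "hat",
             "ice", "jar", "key", "leaf", "moon", "nut", "owl", "pear"]
PATTERN_LEN = 4      # FIG. 2A shows four icons
MIN_CHARS = 4        # step 604: no display change until this many characters are entered
MAX_CHARS = 32       # step 606 bound; the value is an assumption for this example
# Hypothetical stand-in for the "secret number embedded into the password entry software".
EMBEDDED_SECRET = bytes.fromhex("1337c0de")


def one_way(data: bytes) -> bytes:
    """One-way function 506. SHA-256 is substituted here for the MD2 named in the text."""
    return hashlib.sha256(data).digest()


def parse_nibbles(digest: bytes, count: int) -> list:
    """Steps 408/612: parse the hash into four-bit groups; each group indexes the pool."""
    groups = []
    for byte in digest:
        groups.extend((byte >> 4, byte & 0x0F))
    return groups[:count]


def select_icons(digest: bytes) -> list:
    """Steps 410/614: retrieve the icons named by the parsed bit groups."""
    return [ICON_POOL[g] for g in parse_nibbles(digest, PATTERN_LEN)]


def initial_pattern(id_code: bytes, other_values: bytes = EMBEDDED_SECRET) -> list:
    """FIGS. 4 and 5: concatenator 502 joins other values and ID code; then hash, parse, select."""
    return select_icons(one_way(other_values + id_code))


def parity_derivative(entered: str) -> bytes:
    """Variant from the text: one parity bit per entered character (1 = odd number of set bits)."""
    return bytes(bin(ord(ch)).count("1") & 1 for ch in entered)


def entry_pattern(entered: str, user_value: bytes, use_parity: bool = False) -> Optional[list]:
    """Steps 604-614: None below MIN_CHARS, else icons from hash(string || embedded secret || user value)."""
    if len(entered) < MIN_CHARS:
        return None
    material = parity_derivative(entered) if use_parity else entered.encode()
    return select_icons(one_way(material + EMBEDDED_SECRET + user_value))


class PasswordEntry:
    """State of the routine of FIGS. 6A-6B for one login attempt."""

    def __init__(self, id_code: bytes, user_value: bytes, use_parity: bool = False):
        self.user_value = user_value
        self.use_parity = use_parity
        self.entered = ""
        self.pattern = initial_pattern(id_code)   # FIG. 2A: shown before any character is typed

    def feed(self, ch: str) -> tuple:
        """Step 602: take the next character. Returns (status, pattern now on screen)."""
        self.entered += ch
        if len(self.entered) > MAX_CHARS:
            return "error", self.pattern           # step 610: too many characters, no valid password
        new_pattern = entry_pattern(self.entered, self.user_value, self.use_parity)
        if new_pattern is None:
            return "unchanged", self.pattern       # step 604: below the minimum, keep the FIG. 2A pattern
        self.pattern = new_pattern                 # step 628: display the new pattern
        return "changed", self.pattern


def prefixes_matching(pattern: list, user_value: bytes, alphabet: str, length: int,
                      use_parity: bool = False) -> int:
    """Observer's trial-and-error attack from the text: how many `length`-character prefixes over
    `alphabet` reproduce an observed pattern (the observer is assumed to hold both secrets)."""
    return sum(1 for combo in product(alphabet, repeat=length)
               if entry_pattern("".join(combo), user_value, use_parity) == pattern)


if __name__ == "__main__":
    entry = PasswordEntry(b"alice", b"user-known-number")
    print("initial:", entry.pattern)
    for ch in "pass":
        print(ch, entry.feed(ch))
    seen = entry_pattern("abcd", b"u")
    print("raw prefixes matching:", prefixes_matching(seen, b"u", "abcdefgh", 4))
    seen = entry_pattern("abcd", b"u", use_parity=True)
    print("parity prefixes matching:", prefixes_matching(seen, b"u", "abcdefgh", 4, True))
```

`prefixes_matching` reproduces the observer's trial-and-error search from the text. With the raw characters hashed, the four-icon pattern seen after the fourth character pins down that four-character prefix almost uniquely over an eight-letter alphabet; with the parity derivative, every prefix whose characters have the same parities produces the same pattern, so the observer is left with hundreds of candidates. The search only works at all because the function assumes the observer holds EMBEDDED_SECRET and the user value: a secret embedded in the entry program can be recovered by anyone who obtains the program, which is why the text also mixes in a value known only to the user.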

Although only one embodiment of the invention has been 
disclosed, it will be apparent to those skilled in the art that 
various changes and modifications can be made which will 
achieve some of the advantages of the invention without 
departing from the spirit and scope of the invention. For 
example, various well-known hashing techniques can be 
substituted for those disclosed above to achieve the same 
results. Similarly, the graphic pattern can be generated from 
the user's ID code directly without merely selecting icons 
from a pool of icons. These and other obvious modifications 
are intended to be covered by the appended claims. 

What is claimed is: 

1. Apparatus for establishing a protected channel between 
a user and a computer system in response to a user request, 
the computer system having a memory, a display device and 
an input device, the apparatus comprising: 

means responsive to the user request for generating an 
entry screen display which requests information to be 
entered by the user on the input device; 

means for storing information unique to the user in the 
memory in a manner in which the unique information 
cannot be obtained by persons other than the user; and

means responsive to the information stored in the memory 
for generating an identifying graphic display which is 
distinct for the user along with the entry screen display. 

2. Apparatus according to claim 1 further comprising: 
means responsive to information entered on the input 

device by the user for modifying the identifying 
graphic display based on the entered information. 

3. Apparatus according to claim 2 wherein the modifying 
means comprises means for delaying the modification of the 
graphic display until a predetermined minimum amount of 
information has been entered. 

4. Apparatus according to claim 2 wherein the modifying
means comprises means responsive to the information
entered on the input device for generating a cryptographic
hash of the entered information and means responsive to the
cryptographic hash for modifying the identifying graphic
display.

5. Apparatus according to claim 1 wherein the identifying
graphic display generating means comprises:
a plurality of icon graphics;

means responsive to the information stored in the memory
for selecting a subset of the plurality of icon graphics;
and

means for displaying the subset of the plurality of icon
graphics in a predetermined pattern.

6. Apparatus according to claim 1 wherein the identifying
graphic display generating means comprises means for
generating a cryptographic hash based on the information
stored in the memory and means responsive to the crypto-
graphic hash for generating the identifying graphic display.

7. Apparatus for establishing a protected channel between
a user and a computer system during the entry of a password
by a user, the computer system having a memory, an
application program running in the memory, a display device
and an input device, the apparatus comprising:

means controlled by the application program for gener-
ating an entry screen display which requests password
characters to be entered by the user on the input device;
means for storing an ID code unique to the user in the
memory in a manner in which the ID code cannot be
obtained by persons other than the user; and
means responsive to the ID code for generating a graphic
display pattern which is distinct for the user as part of
the entry screen display.

8. Apparatus according to claim 7 further comprising:
means responsive to a string of characters entered on the
input device by the user for modifying the identifying
graphic display based on all of the entered characters.

9. Apparatus according to claim 8 wherein the modifying
means modifies the display after each character is entered.

10. Apparatus according to claim 8 wherein the modifying
means comprises means for delaying the modification of the
graphic display until a predetermined minimum number of
characters have been entered.

11. Apparatus according to claim 8 wherein the modifying
means comprises means responsive to a string of characters
entered on the input device for generating a cryptographic
hash of the string of characters and means responsive to the
cryptographic hash for modifying the identifying graphic
display.

12. Apparatus according to claim 11 wherein the means
for generating a cryptographic hash comprises means
responsive to each entered character for generating the
parity of each entered character and means for generat-
ing a cryptographic hash of the parities of the entered
characters.

13. Apparatus according to claim 11 wherein the identi-
fying graphic display generating means comprises:

a plurality of icon graphics;

means responsive to the ID code for selecting a subset of
the plurality of icon graphics; and
means for displaying the subset of the plurality of icon
graphics in a predetermined pattern.

14. Apparatus according to claim 13 wherein the identi-
fying graphic display generating means further comprises
means for generating a cryptographic hash based on the ID
code and means responsive to the cryptographic hash for
selecting a subset of the plurality of icon graphics.

15. A method for establishing a protected channel
between a user and a computer system in response to a user
request, the computer system having a memory, a display
device and an input device, the method comprising the steps
of:

A. generating an entry screen display which requests
information to be entered by the user on the input
device;

B. storing information unique to the user in the memory
in a manner in which the unique information cannot be
obtained by persons other than the user; and

C. generating an identifying graphic display based on the
unique information which identifying graphic display
is distinct for the user along with the entry screen
display.
16. A method according to claim 15 further comprising
the steps of:

D. modifying the identifying graphic display based on
information entered by the user on the input device.

17. A method according to claim 16 wherein step D
comprises the steps of:

D1. delaying the modification of the graphic display until
a predetermined minimum amount of information has
been entered.

18. A method according to claim 16 wherein step D
comprises the steps of:

D2. generating a cryptographic hash of the entered infor-
mation in response to the information entered on the
input device; and

D3. modifying the identifying graphic display based on
the cryptographic hash.

19. A method according to claim 15 wherein step C
comprises the steps of:

C1. storing a plurality of icon graphics in the memory;

C2. selecting a subset of the plurality of icon graphics
based on the information stored in the memory; and

C3. displaying the subset of the plurality of icon graphics
in a predetermined pattern.
20. A method according to claim 15 wherein step C
further comprises the steps of: 

C4. generating a cryptographic hash based on the infor- 
mation stored in the memory; and 

C5. generating the identifying graphic display based on 
the cryptographic hash. 

21. A computer program product for establishing a pro- 
tected channel between a user and a computer system in 
response to a user request, the computer system having a 
memory, a display device and an input device, the computer 
program product comprising: 

a computer useable medium comprising: 

means responsive to the user request for generating an 
entry screen display which requests information to be 
entered by the user on the input device; 

means for storing information unique to the user in the 
memory in a manner in which the unique information 
cannot be obtained by persons other than the user; and 

means responsive to the information stored in the memory 
for generating an identifying graphic display which is 
distinct for the user along with the entry screen display. 